From Botnets to Cross Site Scripting

Botnets monitoring

Emergence of Bots
[Timeline figure, 1993 to present. Labels recovered from the slide: hacking scripts & first IRC bot (RPCSS); W32/PrettyPark, 1st worm to use IRC as C&C; W32/Agobot, bot design and significant functionality; W32/Sdbot, of bots developed as a single binary; W32/Mytob, e-mail outbreak; W32/Spybot family emerged. Year marks: 1993, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present.]

SpyBot worm
• The Spybot worm is a large family of computer worms of varying
• Although the actual number of versions is unknown, it is estimated to be well into the thousands.
• This briefly held the record for most variants, but has subsequently been surpassed by the Agobot family.
• Spybot variants generally have several things in common:
– The ability to spread via the popular P2P program KaZaA, often in addition to other such programs.
– The ability to spread via at least one vulnerability in the Microsoft Windows operating system. Earlier versions mostly used the RPC DCOM buffer overflow, although now some use the LSASS buffer overflow.
– The ability to spread via various common backdoor Trojan horses.
– The ability to spread to systems with weak administrative passwords.

Large choice
• For bot software, an attacker has numerous options, including Agobot, Phatbot, Forbot, XtremBot, SDBot, Rbot, URBot, or UrXBot, Perl-based bots
• Whatever the choice, the software itself often leverages several different known vulnerabilities, infecting and spreading until it assembles a respectable bot force.
• Each host that the bot software compromises becomes a node in a vast sleeper cell of machines awaiting an
• Generally, the compromised machines’ authorized users have no idea their computers are subject to a third
• This is because a good bot spreads widely, quietly, and unobtrusively.

Tracking botnets
• Nepenthes -- Collect samples of autonomous spreading malware, (war on errorism) http://nepenthes.mwcollect.org/
• CW sandbox -- Automatically analyse a given sample, http://www.cwsandbox.org/ (Behavior-based Malware Analysis)
• Botspy -- Observe a given botnet

Lifetime of botnets
• One botnet was active for more than 250
• Approx. 15 - 20 new botnets every day
• Approx. 130 botnets at the same time
• Only about 50% are active for more than
• Problem: Some botnets run on public IRC servers

Can the Law make a difference?

The Botnet Economy
• Because botnets are associated with substantial illegal revenue, a thriving underground economy has sprung up around botnet activity.
• Rob Thomas of Team Cymru has written a comprehensive paper on this economy: “The Underground Economy - Priceless”.
• http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf
• Peter Gutmann of the University of Auckland has written another comprehensive paper: “The Commercial Malware Industry” on this subject, tracing the evolution of malware and botnets.
• http://www.cs.auckland.ac.nz/~pgut001/pubs/malware_biz.pdf

Botherders offer “service level agreements” to clients
• Guaranteed replacement of botnet in case anti-virus researchers release fix for malware or botnet is taken down
• Organized crime involved in all stages of
• Employ virus writers to create malware
• Carry out spam campaigns, espionage, ID
• Laundering of money stolen from victims

The Botnet and the law
Botnet Herder Pleads Guilty to Massive PayPal Scam
• Virus Writers, Botherders, Clients
– Virus writer writes malware, infects computers to create botnet
– Botherder operates the botnet “command and control” (C&C)
– Clients hire botnets to distribute spam, launch Distributed Denial of Service (DDoS) attacks to conduct identity theft
• Highly developed underground channels of
• “Secret” forums/chatrooms that shift location
• Access on a need to know basis, new entrants may need to be vouched for by existing participant

Developing countries
• The botnet problem (like the spam problem) is the same problem worldwide, but is particularly acute in emerging Internet economies, owing to resource scarcity and capacity issues.
• Government, industry, and civil society in emerging Internet economies are often ill equipped to deal with the catastrophic effects of botnets.

XSS
• The most popular CSS/XSS attack (and devastating) is the harvesting of authentication cookies and session management tokens. With this information, it is often a trivial exercise for an attacker to hijack the victim's active session, completely bypassing the authentication
• The mechanism of the attack is not difficult and can be automated.
• Such scripts may be written in any number of scripting languages, provided that the client host can interpret the code.
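The cookie-harvesting mechanism above, and the later advice in these notes that XSS is 95% avoidable with proper filtering of user-supplied data, both come down to one defect: text from the request is copied into the page unescaped. The following Python example is added here and is not code from the slides. It models the welcome.cgi page from the notes' own example as two hypothetical handlers, render_welcome_vulnerable and render_welcome_safe, driven by a constructed query string, and adds an HttpOnly session cookie header as a second layer that keeps the token out of document.cookie if escaping is missed somewhere.

```python
"""Reflected XSS in a welcome.cgi-style page: the defect and the fix.

Added example, not code from the slides. The handler names and the
query string are constructed for illustration.
"""
import html
from urllib.parse import parse_qs

# Constructed query string in the shape of the slides' request line:
#   GET /welcome.cgi?name=<script>alert(document.cookie)</script> HTTP/1.0
SAMPLE_QUERY = "name=<script>alert(document.cookie)</script>"


def name_from_query(query_string):
    """Pull the 'name' parameter out of a query string ('' if absent)."""
    return parse_qs(query_string).get("name", [""])[0]


def render_welcome_vulnerable(query_string):
    """Reflects the parameter into the page verbatim: the XSS defect."""
    name = name_from_query(query_string)
    return "<HTML><BODY>Welcome to our system, " + name + "</BODY></HTML>"


def render_welcome_safe(query_string):
    """Same page, with the parameter HTML-escaped on output.

    html.escape replaces < > & " ' with entities, so the browser renders
    the text instead of executing it. This is the output-encoding half of
    'proper filtering'; input validation (e.g. a length and character
    allow-list for names) is the other half.
    """
    name = html.escape(name_from_query(query_string), quote=True)
    return "<HTML><BODY>Welcome to our system, " + name + "</BODY></HTML>"


def session_cookie_header(session_id):
    """Set-Cookie line that keeps the session token out of document.cookie.

    HttpOnly hides the cookie from script, Secure restricts it to HTTPS,
    SameSite=Lax limits cross-site sends. None of this replaces escaping;
    it limits the damage when escaping is missed somewhere.
    """
    return "Set-Cookie: SESSIONID=%s; HttpOnly; Secure; SameSite=Lax" % session_id


def contains_script_tag(page):
    """Review check: does a raw <script tag survive into the response?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_welcome_vulnerable(SAMPLE_QUERY))   # script tag reflected
    print(render_welcome_safe(SAMPLE_QUERY))         # entities instead
    print(session_cookie_header("constructed-session-id"))
```

html.escape is the right encoder only for the HTML text and attribute-value contexts shown here; a value placed inside a JavaScript string, a URL, or a CSS rule needs the encoder for that context, which is why a single site-wide "filter" so often leaves gaps in the large legacy applications the notes mention.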
• Scripting tags that are most often used to embed malicious content include <SCRIPT>, <OBJECT>, <APPLET> and

Attacks, Client-side scripting
• Client-side scripting generally refers to the class of computer programs on the web that are executed client-side, by the user's web browser, instead of server-side (on the web server)
• This type of computer programming is part of the Dynamic HTML (DHTML) concept, enabling web pages to have different and changing content depending on user input, or other variables.
• Web authors write client-side scripts in
• Client-side scripts are often embedded within an
designed to have a similar look to Java, but be easier for non-programmers to work with.
• The language is best known for its use in websites (as
scripting access to objects embedded in other
to the Java programming language, though both have Java names and naming conventions.

XSS uses vulnerability
• Java applets do not provide the attacker with any access beyond the Document Object Model (DOM) and are restricted to what is commonly referred to as a sandbox.
• The most common web components that fall victim to CSS/XSS vulnerabilities include CGI scripts, search engines, interactive bulletin boards, and custom error pages with poorly written input validation routines.
– Additionally, a victim doesn’t necessarily have to click on a link; CSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags.

Example:
• Vulnerable link looks like:
• The victim, upon clicking the link, will generate a request to www.vulnerable.site, as:
    GET /welcome.cgi?name=<script>alert(document.cookie)</script> HTTP/1.0
    Host: www.vulnerable.site
And the vulnerable site response would be:
    Welcome to our system
    </HTML>

HyperText Markup Language
• HTML is the predominant markup language for web
• It provides a means to describe the structure of text-based information in a document — by denoting certain text as links, headings, paragraphs, lists, and so on — and to supplement that text with interactive forms, embedded images, and other objects.
• HTML is written in the form of tags, surrounded by angle
• HTML can include embedded scripting language code which can affect the behavior of web browsers and other HTML processors.

HTML Tag
• <SCRIPT> Adds a script that is to be used in the
– type = Specifies the language of the script. Its value must be a
HTML 4.0 specification and is a recommended replacement for the “language” attribute.
– language = Identifies the language of the script, such as
– src = Specifies the URL of an outside file containing the script to be loaded and run with the document. (Netscape only)
• Supported by: Netscape, IE 3+, HTML 4, Opera 3+
    Hello World! <SCRIPT>malicious code</SCRIPT>

<OBJECT>
• Places an object (such as an applet, media file, etc.) on a document. The tag often contains information for retrieving ActiveX controls that IE uses to display the object.
– classid = Identifies the class identifier of the object.
– codebase = Identifies the URL of the object’s codebase.
– codetype = Specifies the media type of the code. Examples of code types include audio/basic, text/html, and image/gif. (IE and HTML 4.0
– data = Specifies the URL of the data used for the object.
– name = Specifies the name of the object to be referenced by scripts on
– standby = Specifies the message to display while the object loads.
– type = Specifies the media type for the data.
– usemap = Specifies the imagemap URL to use with the object.
• Supported by: Netscape, IE, HTML 4

<EMBED>
• Embeds an object into the document. Embedded objects are most often multimedia files that require special plug-ins to display. Specific media types and their respective plug-ins may have additional proprietary attributes for controlling the playback of the file. The closing tag is not always required, but is recommended. The tag was dropped by the HTML 4.0 specification in favour of the <object> tag.
– hidden = Hides the media file or player from view when set to yes.
– name = Specifies the name for the embedded object for later reference within a script.
– pluginspage = Specifies the URL for information on installing the appropriate plug-in.
– src = Provides the URL to the file or object to be placed on the document. (Netscape 4+ and IE 4+ only)
– code = Specifies the class name of the Java code to be executed. (IE only)
– codebase = Specifies the base URL for the application. (IE only)
– pluginurl = Specifies a source for installing the appropriate plug-in for the media file.
– type = Specifies the MIME type of the plug-in needed to run the file. (Netscape only)
• Supported by: Netscape, IE 3+, Opera 3+
    Hello World! <EMBED SRC="http://www.paedophile.com/movies/rape.mov">

Summary of the attack
• The attacker investigates an interesting site that normal users must authenticate to gain access to, and that tracks the authenticated user
• The attacker finds a CSS vulnerable page on the site, for instance
• Using a little social engineering, the attacker creates a special link to the site and embeds it in an HTML email that he sends to a long list of
• Embedded within the special link are some coding elements specially designed to transmit a copy of the victim's cookie back to the attacker. For
• Unknown to the victim, the attacker has now received a copy of their
• The attacker now visits the web site and, by substituting his cookie information with that of the victim, is now perceived to be the victim by the server application.

Code Insertion P
• Security professionals have discovered an ever increasing number of methods for potentially embedding code within poorly configured web applications. The following are some of the more common
• Inline Scripting
This insertion facet usually occurs due to poor error handling by the web server or application component. The application fails to find the requested page and reports an error which unfortunately includes the unprocessed script data.
• XSS is 95% avoidable with proper filtering techniques on any user supplied data. While making sure that every element is filtered in large (and especially legacy) web applications can be a daunting task, properly implemented filters can prevent your site from falling victim to the above mentioned attack scenarios.

You can’t bank on security

Next big problems?
• New hacking technique exploits common programming error
This is a bit of a
and once we open it, it will be just the tip of the iceberg.

Dangling pointers
• Jonathan Afek and Adi Sharabani of Watchfire stumbled upon the method for remotely exploiting dangling pointers by chance while they were running the company's AppScan software against a Web server.
– Dangling pointers are errors in software code that fail to refer to a valid object. Often the object that was referenced was deleted without changing the value of the pointer
• Dangling pointers are quite common, but security experts and developers have said for years that there is no practical way to exploit them, so they've been considered quality-assurance problems and not security
• But now that has changed.

Similar to BO
• "The common thought was that this kind of problem isn't exploitable. But we looked at this and thought, wouldn't it be neat if we could implement our own code on this server?" said Danny Allan, research director at Watchfire, based in Waltham, Mass.
"The problem before was, you had to override the exact location that the pointer was pointing to. It was considered impossible. But we discovered a way to do this with generic dangling pointers and run our own shell code."
"The long and short of it is, if you can determine the value of the pointer, it's game over."
"The outcome is much like a buffer overflow. It's very severe," Allan said. "This is a bit of a Pandora's box and once we open it, it will be just the tip of the iceberg."

Year of the Clever Rat
perfect ways to steal data and
1- One pioneering gang is taking over home network routers instead of PC hard drives, a sneakier way to hijack online accounts.
2- Another has perfected a way to use compromised PCs to repeatedly click on Internet ads to generate ad payments to the
3- Phishing specialists are putting finer touches on scams to trick people into divulging sensitive personal data on fake
4- Meanwhile, top-level crime rings are getting stealthier and more efficient at herding millions of compromised PCs, referred to as bots, into networks that they deploy to steal data, commit extortion and spread spam.

Routers
• One gang has begun sending out tainted email greeting cards that, when opened, give the intruders control of the recipient's router.
– Targeting a router model popular in Mexico, these crooks have defrauded patrons of a large Mexican bank, (SYMC)
• Copy cats now are the concern. "This attack technique can be generalized quite easily to go after multiple router brands and multiple banks,"

Click fraud.
• This month, someone has tainted tens of thousands of mom-and-pop e-commerce sites, Landesman says.
• Clicking to one of these sites can trigger ads selling fake anti-spyware or turn the visitor's PC into a hub for clicking on Web ads, while routing the ad payment to the
• Newly available at a French website: a turn-key phishing kit with everything needed to create bogus bank websites, including templates of official-looking bank letters requesting data.
• In another current scam, an e-mail targets high-net-worth individuals with ruses keying off the arrival of tax season.

Phishing
• The first recorded mention of the term "phishing" is on the alt.online-service.America-online Usenet newsgroup on January 2, 1996, although the term may have appeared earlier in the print edition of the hacker magazine 2600. A phishing technique was described in detail as early as 1987, in a paper and presentation delivered to the International HP Users Group, Interex. The term phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated baits used in the hope of a "catch" of financial information and passwords. The word may also be linked to leetspeak, in which ph is a common substitution for f.

Photos to Fight Phishing?
• In a bid to stave off phishing attacks, Bank of America is offering a new service that allows online customers to verify that they are indeed at the bank's official site by displaying an image that the customer supplies in
• The free service, called SiteKey and developed by Passmark Security of Redwood City, Calif., lets customers pick any image they have, then write a brief phrase and select three "challenge questions."
– When the customer next visits bankofamerica.com and enters a username, clicking on the SiteKey button displays their chosen image, embedded in the bank's site.
– Customers are prompted to answer one of the challenge questions if they want to access their account from a different
• Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website.
• Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server
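The hosts-file variant of pharming named above leaves a concrete, checkable trace on the victim machine: a line that pins a bank's hostname to an address of the attacker's choosing, which the resolver honours before any DNS lookup. The Python example below is added here and is not from the slides; it parses constructed hosts-file content, flags every entry for a watched domain (the examplebank.example names are made up), and distinguishes a redirect to a foreign address from a blocklist-style loopback entry.

```python
"""Audit a hosts file for pharming-style overrides of watched domains.

Added example, not from the slides. The hosts content and the domain
names (examplebank.example) are constructed for illustration.
"""
import ipaddress

# Constructed hosts-file content: normal loopback entries, a harmless
# developer override, and two lines pinning a bank's names to one address.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
10.0.0.5        dev.internal.example      # local dev box, expected
203.0.113.45    www.examplebank.example   # a bank has no business here
203.0.113.45    online.examplebank.example
0.0.0.0         ads.tracker.example       # blocklist-style entry
"""

# Names a legitimate hosts file never needs to resolve locally.
WATCHED_DOMAINS = {"www.examplebank.example", "online.examplebank.example"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:                 # one address, several names
            yield parts[0], host.lower()


def classify_entry(address):
    """'block' for loopback/unspecified targets, 'redirect' for anything else.

    A block entry denies the user the site; a redirect entry sends the
    browser to the attacker's address with the bank's name in the URL bar.
    """
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "redirect"   # malformed address is still a tamper signal
    return "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"


def find_pharming_entries(text, watched):
    """Return [(address, host, kind)] for every watched name in the hosts file.

    Any hosts-file entry for a watched domain bypasses DNS entirely, so the
    whole list is worth alerting on, whatever the target address.
    """
    return [(addr, host, classify_entry(addr))
            for addr, host in parse_hosts(text)
            if host in watched]


if __name__ == "__main__":
    for addr, host, kind in find_pharming_entries(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print("%-9s %-28s -> %s" % (kind, host, addr))
```

On a real machine the text would come from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; the check is cheap enough to run from endpoint monitoring, and because it inspects the file rather than signatures it catches the modification regardless of which malware family made it, which is the gap the notes describe when they say antivirus software cannot protect against pharming.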
• DNS servers are computers responsible for resolving Internet names into their real addresses — they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as
• Pharming has become of major concern to businesses hosting ecommerce and online banking websites.
– Sophisticated measures known as anti-pharming are required to protect against this serious threat.
– Antivirus software and spyware removal software cannot protect against pharming.
• In recent years both pharming and phishing have been used to steal identity information.

Zhelatin
• Use of botnets for cybercrime has increased and become more refined since 2002-3 when mass mailer worms such as Sobig and Sober were
• 2007 generation botnets such as Zhelatin (Storm Worm) are particularly aggressive using advanced techniques such as fast-flux networks to make it harder to shut down and even striking back with denial of service (DDoS) attacks against security researchers or vendors trying to mitigate the botnet
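Fast-flux, mentioned above as the technique that makes Zhelatin hard to shut down, shows up in DNS as a name whose A records change on every short-TTL lookup and are scattered across unrelated networks (infected hosts acting as proxies). The Python example below is added here and is not from the slides; it scores constructed lookup observations for those signals and also shows the main false positive, a CDN name that has a low TTL but rotates within one netblock. The /16-prefix count is an assumption standing in for the ASN lookup a production tool would use.

```python
"""Fast-flux indicators from repeated DNS lookups of one name.

Added example, not from the slides. The observations are constructed
(documentation address ranges), and the /16-prefix heuristic stands in
for the ASN lookup a production tool would use.
"""
import ipaddress

# Constructed: three successive lookups of a fluxing name. Every answer
# is a fresh set of addresses spread across unrelated networks.
FLUX_OBSERVATIONS = [
    (300, ["198.51.100.10", "203.0.113.22", "192.0.2.77", "198.18.5.9", "198.19.44.3"]),
    (300, ["203.0.113.90", "192.0.2.150", "198.18.77.1", "198.51.100.200", "100.64.3.3"]),
    (300, ["192.0.2.8", "198.18.9.9", "100.64.9.1", "203.0.113.5", "198.51.100.77"]),
]
# Constructed: a CDN-style name. Low TTL too, but the answers rotate
# within a single netblock, which is why TTL alone is not a signal.
CDN_OBSERVATIONS = [
    (60, ["203.0.113.10", "203.0.113.11"]),
    (60, ["203.0.113.11", "203.0.113.12"]),
    (60, ["203.0.113.10", "203.0.113.12"]),
]


def fast_flux_indicators(observations):
    """Summarise (ttl, [A records]) observations into the usual flux signals."""
    answers = [set(ips) for _, ips in observations]
    all_ips = set().union(*answers)
    # Distinct /16 prefixes approximate "how many different networks".
    prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in all_ips}
    # Churn: average fraction of each answer that was absent from the previous one.
    turnover = [len(cur - prev) / len(cur) for prev, cur in zip(answers, answers[1:])]
    churn = sum(turnover) / len(turnover) if turnover else 0.0
    return {
        "min_ttl": min(ttl for ttl, _ in observations),
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "churn": round(churn, 2),
    }


def looks_like_fast_flux(observations, max_ttl=600, min_prefixes=5, min_churn=0.5):
    """Flag a name only when low TTL, network spread and churn all coincide."""
    ind = fast_flux_indicators(observations)
    return (ind["min_ttl"] <= max_ttl
            and ind["distinct_prefixes"] >= min_prefixes
            and ind["churn"] >= min_churn)


if __name__ == "__main__":
    for label, obs in (("flux", FLUX_OBSERVATIONS), ("cdn", CDN_OBSERVATIONS)):
        print(label, fast_flux_indicators(obs), looks_like_fast_flux(obs))
```

The thresholds are starting points, not facts about Storm: tune them on passive-DNS data for your own resolver population, and treat the score as a triage signal to be confirmed by whether the returned addresses are residential broadband space, since that, rather than churn alone, is what separates a proxy network of bots from a large CDN.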
• Gang (15M) Tactic

The Internet battlefield
• The end of 2006 was difficult for antivirus companies around the world.
– Virus researchers around the world were in a state of high alert, mobilizing all their resources throughout the final quarter of the year.
• This was caused by the unprecedented long and widespread attacks on the Internet caused by the unknown authors of the Warezov family of email worms.
– The first examples of this worm appeared on the Internet in October 2006, and were most active towards the end of the month, when up to 20 new variants appeared in the space of 24
– By the end of 2006 we had detected more than 400 variants of Warezov. In many ways, Warezov is extremely similar to the
• Bagle was the first to use this virus technology in order to provide fresh material for spammers' address databases - Warezov did exactly the same.
• Although Warezov is based on Mydoom.a source code, and Bagle was a completely original program created by an unknown group of virus writers, we are inclined to view these two worms as being
– Firstly, the way in which the epidemics were organized is extremely similar, with a large number of variants being mass mailed within a short period of time, which differ according to geographical region (e.g. the variants mailed in Russia differed to those mailed in Europe).
– Secondly, their functionality - installing other worm modules from Trojanized sites and collecting email addresses which are then sent to a remote malicious user - is identical.

Storm Worm =…
• On 18th January 2007, hurricane Kyrill swept Europe.
– The snowstorm took the lives of more than 30 people. Tens of thousands of Europeans were left without light, mobile connections or normal transport.
– The world's attention was focused on the events which were covered by the mass media around the clock.
• On 20th January, another storm hit, but this time the victim was email. The gigantic mass mailing contained messages with subjects like:
– 230 dead as storm batters Europe.
– Russian missle shot down Chinese satellite
– Chinese missile shot down USA aircraft
– Sadam Hussein alive!
– Venezuelan leader: "Let's the War beginning".
– Fidel Castro dead.
– President of Russia Putin dead
– Third World War just have started!

…= Email-Worm.Win32.Zhelatin.a.
• The attached files were actually a Trojan program, which got classified as TrojanDownload.Win32.Small.dam and TrojanDownloader.Win32.Small.bet.
• This Trojan would download other components to the victim machine with the result being a new, extremely aggressive, network worm which utilized rootkit technologies.
• Unofficially it was christened 'the Storm worm'.
• The official name given to it in our antivirus databases was Email-Worm.Win32.Zhelatin.a.

Cyberwar between gangs..
• War had been declared in cyberspace between the groups producing Warezov
• Taking into account the size of the botnets used by both groups, and their clear aim to conduct a large number of attacks, the situation was clear: this was threatening to become one of the most serious problems on the Internet in recent years.

Warezov versus Zhelatin
• The authors of Warezov began responding to Zhelatin attacks in March, and Bagle started periodically putting its head above the ramparts several times a month from March onwards.
• At the end of last year, antivirus companies were only having to combat attacks from a single group, but now the complexity and volume of the task had increased three times.
• And all of this was accompanied by an increase in spam and
– Almost 32% of all malicious code in mail traffic in March 2007 was made up of
– This was clearly a result of the epidemics caused by Bagle, Zhelatin and
– This malicious program is a typical phishing email, and millions of copies were sent around the world. We also detected repeat sendings of this Trojan, which was initially detected on 27th February 2007.
– The Trojan targets Branch Banking and Trust Company clients, luring them to fake sites which are registered by malicious users in Croatia and the Cocos
(Vista)

Sven Jaschan
• Until now, the best known cyber conflict was that between Mydoom, Bagle and NetSky, back in
• The Internet was flooded with dozens of variants of these worms:
– they scanned victim machines for their competitors and took their place, deleting the original worm.
• The war was brought to an end by the arrest of 18 year old Sven Jaschan, the author of NetSky,
• However, his creations remain one of the most widespread worms in mail traffic.

Sven Jaschan ...
This note was uploaded on 05/12/2008 for the course EPP 19601 taught by Professor Morel during the Spring '08 term at Carnegie Mellon.